Applications are moving away from the desktop and onto the web. With technologies like AJAX and Flash and the popularity of mash-ups and social networks, web application penetration testing is becoming increasingly important. Pushes for penetration testing are being driven by compliance, regulation, and a desire not to end up on the evening news, so a quality web application penetration testing class has been long overdue. SANS has stepped up to the plate and re-released SEC542 Web App Penetration Testing and Ethical Hacking as a 6-day course with stronger hands-on exercises, culminating in a final day where students perform a penetration test against the classroom network. The original course was a 4-day version, but Kevin Johnson of InGuardians has updated and enhanced the content to cover many of the cutting-edge web application hacking techniques seen in the field today.

I recently had the opportunity to take the reborn SEC542 course in Orlando, Florida as part of SANS 2009. SANS 2009 was one of the larger yearly conferences that SANS offers, with quality evening talks after classes that offered additional content at no additional cost. Some of SANS' higher-profile instructors presented fresh content, ranging from Josh Wright's talk on the risks of using personal wireless devices such as the Nike+iPod, titled "Privacy Loss in a Pervasive Wireless World", to Ed Skoudis' talk on cutting-edge tricks and techniques, "Secrets of America's Top Pen Testers." The secondary benefit of the large conferences was the ability to network with instructors and peers. There were frequent opportunities to hang out and talk with SANS instructors and other students after hours, with impromptu events such as full-contact mini-golf, dinner and karaoke. An event is what you make of it, and SANS 2009 came through in spades in providing an educationally rich environment. So if an attendee didn't take advantage of networking with those in the industry, it certainly wasn't SANS' fault.

This is my take on it, and not part of the review, because it is very subjective and not really an objective look at the course. But that is an excellent question, and I'm glad you asked. Most of the things that folks want to learn can be found in a book or online, whether it is calculus or hacking. Knowing that you can use Burp Proxy to do web pen testing, and knowing that it has options x, y and z, does not tell you how, when, or where to apply it.

Part of the value of a course is the ability to ask questions and ask for direction. Sure, there are other venues where you can ask questions, but if you have the option of a hands-on explanation of how to do something from a Jedi master, that is something valuable. With other venues your mileage may vary, and they will rarely show you what you are doing wrong in an interactive way, with immediate feedback, so that you can make sure you have a full understanding when you walk away.

I would say that the value of SANS courses lies partially in the tools that you learn, partially in the knowledge of how to apply them, and partially in the experiences that the instructors share from real-world usage and scenarios. What sets SANS apart from other teaching institutions is the real-world experience and the techniques for applying the tools. The SANS instructors are not just instructors; they are practitioners as well. Knowing not just what Paros Proxy does, but when to apply it versus Burp or WebScarab, has a lot of value. That sort of information you probably won't get from a web page; you might get it from a forum, but in most cases talking to Kevin Johnson will get you the right answer.

If I had unlimited time, there are lots of things that I'd like to learn. I could read the books, try to figure out the exercises, spend some time getting frustrated because something didn't work, and I'd eventually get it. The reason I like SANS, and why I keep going back, is that when I leave a SANS course I feel like I've had a Mack truck full of information driven into my head, with exercises to drive the information home, and when I go back to my office I've got stuff that I can start doing. It may not be at the same level as the instructor, but after each SANS class I've taken I've been able to build upon that knowledge immediately.

On a personal note, I would have to say that SANS is a huge jump start. When I took 504, I had some basic stuff that I was doing, and after 504 I had really kicked it up a notch. I was using nmap more effectively, my Metasploit fu was vastly improved, and I started writing VBScript scripts using WMIC for incident response as soon as I got back, and all of that goodness.

After I took 560, I started writing my own Metasploit additions, started playing with writing my own nmap NSE scripts, and had another huge jump from where I was after 504. This may or may not be typical, I don't know, but if you are reading man pages for your docs, I wouldn't say it's out of the question. 560 was another enlightenment for me; some of the things I'd been struggling with on my own became a lot clearer, and walking away from the capture the flag on the last day, I just kind of got it.

With 542, I had played with BeEF some and I've used Paros and such, but much of the information was really driven home. After 542, I felt like I "got it" a lot better. Many of the things that I'd been missing tool-wise were now there, and for a lot of issues that I didn't completely understand, as to why they were bad and how to exploit them, I had gotten a hands-on demo and had been able to talk to the instructor in depth. I'd never spent much time busting apart Flash applications and messing with them, but I sure as heck do now. I'd never really spent much time comparing the minor differences between web pages when I gave them valid and invalid information to see what happens, but now I do, and I can do it more efficiently and quickly.

Having this course through SANS is great, and I hope that they do a higher-level course with more ninja skills in it. I definitely picked up some great stuff in the class, but there is a big focus on tools. Looking through the course, though, you go from evaluating web servers, to evaluating web code, to evaluating implementation, to evaluating applets, to evaluating logic. I don't think that it's reasonable to be an expert in all of those after one class, but if you aren't already a full-time web pen tester doing all of these things, this will be a huge shove in the right direction for you.

If you are tight on cash, there are things that you can do to bring down the price of classes. The Mentor program, offering to TA, or hosting a class locally can all bring down the price of the course.

Sorry if this is a little disjointed; I probably shouldn't be writing more than a sentence or two in response after 1 AM.